W32/Agobot-KC or a process known as wmmon32.exe

information from the SOPHOS anti-virus home site


http://www.sophos.com/

W32/Agobot-KC
Aliases
Backdoor.Agobot.gen, W32/Gaobot.worm.gen.f, W32.HLLW.Gaobot.gen

Type
Win32 worm

Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the August 2004 (3.84) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.


At the time of writing, Sophos has received just one report of this worm from the wild.

Description
W32/Agobot-KC is a backdoor worm which spreads to computers protected
by weak passwords.

When first run W32/Agobot-KC moves itself to the Windows system folder
as wmmon32.exe and creates the following registry entries to run itself on
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WSSAConfiguration= "wmmon32.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
WSSAConfiguration= "wmmon32.exe"

Each time the worm is run it attempts to connect to a remote IRC server
and join a specific channel. The worm then runs continuously in the
background, allowing a remote intruder to access and control the computer
via IRC channels.

W32/Agobot-KC attempts to terminate and disable various anti-virus and
security-related programs. The worm also modifies the HOSTS file in the
Drivers\etc subfolder of the Windows system folder, preventing access to
many anti-virus web sites.

Additionally, the worm may attempt to delete local network shares, and to
steal registration keys for software products installed on the user's
computer.

Recovery
Please follow the instructions for removing worms.


Change any data that may have become compromised.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WSSAConfiguration= "wmmon32.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
WSSAConfiguration= "wmmon32.exe"

and delete them if they exist.

Close the registry editor.
I discovered this on one of my systems today on a regular check of everything, so be warned!!! :mad:
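An added read-only check that is not from the Sophos advisory or from the poster: it looks for the indicators the advisory lists (the WSSAConfiguration Run/RunServices values, wmmon32.exe in the system folder, and HOSTS entries that redirect names other than localhost). It assumes Windows PowerShell with the default System32 paths, and it only reports; removal is left to the recovery steps above.

```powershell
# Added example: inventory of the W32/Agobot-KC indicators named in the advisory.
# Nothing is deleted or changed; findings are printed for manual review.
$findings = @()

# 1. The two autorun values the worm creates.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key -Name 'WSSAConfiguration' -ErrorAction SilentlyContinue
        if ($item) {
            $findings += "Registry: $key\WSSAConfiguration = '$($item.WSSAConfiguration)'"
        }
    }
}

# 2. The copy the worm drops into the Windows system folder.
$wormFile = Join-Path $env:SystemRoot 'System32\wmmon32.exe'
if (Test-Path $wormFile) {
    $findings += "File: $wormFile present"
}

# 3. HOSTS entries that map something other than localhost; the worm adds
#    such lines to block anti-virus web sites. Legitimate custom entries
#    will also show up here, so each line needs a human decision.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsFile) {
    foreach ($raw in Get-Content $hostsFile) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }
        $parts = $line -split '\s+'
        if ($parts.Length -lt 2) { continue }
        $names = $parts[1..($parts.Length - 1)] | Where-Object { $_ -notmatch '^localhost$' }
        if ($names) { $findings += "HOSTS: $line" }
    }
}

if ($findings.Count -eq 0) {
    'No W32/Agobot-KC indicators found.'
} else {
    'Indicators found (review, then follow the recovery steps above):'
    $findings | ForEach-Object { "  $_" }
}
```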